Date last updated: September 2023
OVERVIEW
Equifax Limited (“Equifax”) and its group company Consents Online Limited (“ConsentsOnline”) (collectively, “we”, “our” and “us”) are committed to protecting the privacy of users of our open banking services (“you”).
This Open Banking Privacy Notice (“Privacy Notice”) describes how and why we use personal data about you when we provide our open banking services, including to:
- help verify your identity;
- access your financial account transaction data, including bank accounts;
- conduct analysis of your data; and
- share information with third parties where you have granted those third parties with access to your data.
You should read this Privacy Notice to understand what we are doing with your personal data, the basis on which we undertake such use, who we share your data with and your rights in relation to your personal data.
“Personal data” is any information that relates to an identifiable natural person. Your name, address, contact details and financial data are all examples. The term “process” means any activity relating to personal data, including (for example) its collection, storage, transfer or other use.
Both ConsentsOnline and Equifax are so-called independent “Controllers” of your personal data. This means that we each make decisions about how and why we process your personal data and because of this, we are responsible for making sure that it is used in accordance with data protection laws.
EQUIFAX’S OTHER PRIVACY POLICIES
This Privacy Notice only concerns use of your personal data in relation to the open banking services provided by Equifax together with ConsentsOnline (an Equifax company).
Equifax will likely also process personal data about you as part of Equifax’s core credit referencing activities, and some of this processing will enable Equifax to provide certain open banking services (for example checking your identity).
How and why Equifax process your personal data for its core credit referencing activities, is explained in both the ‘Credit Reference Agency Information Notice’ (CRAIN) and the ‘Equifax Information Notice’ (EIN). Copies of which can be found here:
These will apply in conjunction with this Privacy Notice so please ensure that you review each document, as applicable.
1 HOW CAN YOU CONTACT US?
We can be contacted by any of the following methods:
Post: Equifax Ltd, Customer Service Centre, PO Box 10036, Leicester, LE3 4FS.
Web Address: https://www.equifax.co.uk/Contact-us/Contact_Us_Personal_Solutions.html
Secure email via: www.equifax.co.uk/ask
Additionally, Equifax Ltd has a dedicated Data Protection Officer who can be contacted as follows:
Post: Equifax Ltd, Data Protection Officer, PO Box 10036, Leicester, LE3 4FS.
Email: UKDPO@equifax.com
2 WHAT TYPES OF PERSONAL DATA DO WE PROCESS AND WHERE DO WE GET IT?
Depending on the open banking services you require, we will collect and/or receive the following types of information:
| Category |
Type of personal data |
Where collected from |
Identifying Information |
- Full Name
- Postal address
- Date of Birth
- Telephone number
- Declared income and expenditure
|
You directly (e.g. where prompted to provide such information) |
Financial Account Information |
- Account balance, overdraft or credit limit, incoming and outgoing transactions, including the amount, data and description of transaction (together, “Transaction Data”)
- Account number and sort code
|
You directly (e.g. where prompted to provide such information) or from the relevant financial provider which is providing access to your account |
Analysed Information |
- Transaction Data analysed to verify you income, affordability and/or otherwise assess your financial standing,including indicators of potential financial vulnerability.
|
Generated by Equifax, ConsentsOnline or our subcontractors |
Contact Information |
- Your Identifying Information (excluding date of birth, income and expenditure), plus your e-mail address
|
You directly (e.g. where prompted to provide such information) |
Online Information |
- e-mail address
- Internet protocol (IP) address
- Browser type
- Date and time of open banking portal access
- User ID and passwords (where you create an account with ConsentsOnline)
|
The device you use to access the open banking services, and information you provide directly to use where prompted to do so. |
| Credit Reference Information |
- Information in relation to your financial status, may be processed by Equifax to provide its core credit reference services, as explained in the “CRAIN” at www.equifax.co.uk/crain and the “Equifax Information Notice” at www.equifax.co.uk/ein
|
Information already held by Equifax and provided to Equifax by lenders or obtained from publicly available sources |
General Information |
- Communications we may have sent or received from you in relation to your open banking services
|
You directly |
3 WHAT DO WE DO WITH YOUR PERSONAL DATA AND WHY?
Equifax and ConsentsOnline have been engaged by the lender or other third parties that you have authorized us to share your account Transaction Data with (the “Approved Recipient”).
ConsentsOnline is registered with the Financial Conduct Authority as an Account Information Services Provider (AISP). Practically, this means that ConsentsOnline will, with your permission:
- use your name and financial account details to request access to your financial account;
- collect and store your Transaction Data;
- provide your Transaction Data to Equifax so that Equifax can (i) analyse and categorise it to create consolidated 'Analysed Data', which it shall make available to your Approved Recipient(s) together with the Transaction Data; and (ii) make use of the Transaction Data as set out in this Privacy Notice.
Equifax or its appointed reseller will have an agreement in place with the Approved Recipient(s) to provide the above noted services via ConsentsOnline and Equifax. It is therefore Equifax's role to facilitate the analysis and categorisation of your Transaction Data and make it available to the Approved Recipient(s), including via a reseller of our services, where applicable.
In addition, Equifax will also use your Transaction Data to provide any other services you may have requested to receive from Equifax, to create aggregated and anonymised analysis for research and market intelligence purposes, or to undertake any other processing set out in this Privacy Notice.
Under what lawful basis do we process your personal data?
We are required by law to always have a ‘lawful basis’ (meaning a reason or justification) for processing your personal data. There are a number of lawful bases set out in data protection law but we consider the following to be most relevant to our processing of your personal data:
- The processing is necessary in order for us to enter into or perform a contract with you (“Contract”)
- The processing is necessary to comply with a legal obligation (“Legal Obligation”)
- The processing is necessary for the purposes of legitimate interests pursued by us or third party, and these are not overridden by your interests or fundamental rights (“Legitimate Interest”)
The table below sets out the purposes for which we process your personal data and the relevant lawful basis on which we rely for that processing.
PLEASE BE AWARE: The regulations which specifically relate to Open Banking services require that your consent be obtained in order to access your Transaction Data. This consent does not relate to the processing of your Transaction Data once access has been granted. Any processing of your Transaction Data (or other personal data) is on the lawful basis set out below.
Please also note that where we have indicated that our use of your personal data is necessary for us to comply with legal obligations or for us to take steps, at your request, to enter into an arrangement with you (or perform it), and you choose not to provide the relevant personal data, we may not be able to enter into or continue our arrangement with you. Practically, this may mean that we cannot provide Open Banking services if you have not provided certain personal data which is necessary to verify your identity or gain access to your Transaction Data.
| Purposes of processing |
Contract |
Legal Obligation |
Legitimate Interest |
|
Using your Identifying Information and Financial Account Information to help verify your identity and request access to your Transaction Data from your bank or other financial provider.
This will include:
- verifying the information you provide with the Credit Reference Information Equifax already hold about you;
- disclosing the information to your nominated banking provider, so they can confirm your identity and grant access to your Transaction Data; and
- conducting any additional verification checks, for example by sending a SMS text message with a passcode to enable you to gain access to your account and Transaction Data.
|
✔ |
✔ We are required by law to ensure your identity prior to providing services |
✔ It is in our legitimate interest to take reasonable steps to help verify your identity. |
Disclosing your Transaction Data to you and/or an Approved Recipient |
✔ |
|
✔ It is in the legitimate interest of Approved Recipients to receive your transaction data in order to assess their ability to provide products/services to you. |
|
Analyzing your Transaction Data to generate Analysed Data and form a picture of your financial standing, including to:
- help verify income and outgoings;
- help assess affordability;
- help assess creditworthiness;
- help verify income and outgoings;
- help prevent and detect fraud, money laundering and other criminal activity;
- enable monitoring of your financial circumstances; and
- assist in the provision of debt management services, including to help reclaim debt owed by you,
- Assist with identifying potential indicators of financial vulnerability, such as the proportion of expenditure on high cost short term loans, or gambling, compared to income,
to be shared with you or an Approved Recipient.
|
✔ |
|
✔ It is in the legitimate interest of Approved Recipients to receive a breakdown / assessment of your transaction data in order to assess creditworthiness and affordability,and potential indicators of financial vulnerability,to help determine whether they can provide products/services to you. It is also in our legitimate interest to provide these services to Approved Recipients which are also our clients. |
|
Combining Transaction Data (and our analysis of such data) with the Credit Reference Information Equifax holds about you, to provide a more complete picture of your financial standing, and making this ‘picture’ available to you or an Approved Recipient.
We may also combine and anonymise your Transaction Data, our analysis of the Transaction Data, and the Credit Reference Information we hold about you to create an anonymised aggregated dataset that can be used for research and statistical purposes.
Please see the “CRAIN” at www.equifax.co.uk/crain and the “Equifax Information Notice” at www.equifax.co.uk/ein for more information about how Credit Reference Information is collated and processed.
|
✔ |
|
✔
It is in the legitimate interest of Approved Recipients to receive an assessment of your financial standing (supported by your Transaction Data) in order to assess creditworthiness and affordability, to help determine whether they can provide products/services to you
It is also in our legitimate interest to aggregate and anonymise the data we hold about you to create an anonymised dataset to be used for research purposes and better improve our products and services. These data sets will be anonymous and will not identify you as an individual.
|
Using your Identifying Information and/or Online Information to verify or enforce compliance with the policies and terms applicable to your use of the Open Banking services we provide |
|
|
✔ It is in our legitimate interest to ensure that our services are being used appropriately |
Use of your information to detect and report suspected incidents of fraud, or for general crime prevention |
✔ Where we are compelled to process your data in compliance with laws, for example those relating to fraud prevention |
|
✔ It is in our legitimate interest to prevent crime and instances of fraud. |
Using your Contact Information to respond to your enquiries and/or complaints |
|
|
✔ It is in our mutual interest to respond |
Using your Contact Information to send you information relevant to any Open Banking services you receive from us |
✔ Where we are required to provide any information under contract |
|
✔ It is in our mutual interest that you be updated with pertinent information |
Using Identifying Information, Contact Information and/or Online Information to enable you to create accounts and log-in or otherwise gain access to the Open Banking services |
✔ Where we are required to provide such access under contract |
|
✔ It is in our mutual interest to provide you with a private log-in in order to access services |
Using any relevant personal data to establish and enforce our legal rights or to comply with a court order, law enforcement requirement (or other legally mandated request) or legal obligation |
|
✔ |
|
Using any relevant personal data for our general record keeping, customer management or Website user management |
✔ Where we are required to maintain such records under contract |
|
✔ It is in our legitimate interest to store Open Banking service data and Website user data so that we can refer back to it |
Using any relevant personal data in relation to managing the proposed or actual sale, restructuring or merging of any or all part(s) of our business |
|
✔ |
✔ We have legitimate interest in being able to sell or restructure our business and maintain continuity for us or a buyer |
Equifax will use your Transaction Data for internal product development to help refine and develop our open banking services and transaction data categorisation mechanisms. |
|
|
✔ It is in our legitimate interest to ensure that our clients receive the best possible service, and it is in the interest of individual data subjects for us to ensure that our services best reflect the financial circumstances of the individual |
Equifax will aggregate and anonymise the Transaction Data it receives so that it can conduct anonymised analysis and research, which it may make available to third parties. |
|
|
✔ It is in our legitimate interest to aggregate and anonymise data so that we can analyse the markets in which we and our clients operate. |
We may also use your personal data to conduct research and analysis, including to produce anonymous statistical reports. Where appropriate, we will convert your personal data into statistical or aggregated form to better protect your privacy, or so that you are not identified or identifiable (thereby creating anonymized data). Anonymized data is not personal data and can be used, for example, to help us understand and improve the analytics we undertake of individual transaction data. We may also share anonymised data or the research we produce from our analysis of anonymised data, with third parties.
4 WHO DO WE SHARE YOUR PERSONAL DATA WITH AND WHY?
We may share your information with the following entities:
Affiliates and Third Parties: companies that control, are controlled by, or under common control with Equifax, as well as selected third parties with whom Equifax and/or ConsentsOnline works.
These recipients within and outside our group may be processing your personal data on our behalf as a Service Provider (see below) or they may be processing it for their own purposes as a controller in their own right.
We have summarised below the categories of recipients with whom we are likely to share your personal data:
- Service Providers: We may share your personal data with entities that provide services to us, such as vendors and suppliers that provide technology, services, and/or content for the operation and maintenance of the Open Banking services we provide. Access to your personal data by these service providers is limited to the information reasonably necessary for the Service Provider to perform its limited function. We take steps to help ensure that Service Providers keep your personal data confidential and comply with our privacy and security requirements.
A key service provider to Equifax and ConsentsOnline is AccountScore Limited, an Equifax group company incorporated in England and Wales with company number: 10084932, and its registered address at 1 Angel Court, London, EC2R 7HJ (“AccountScore”). AccountScore may access your Transaction Data on our behalf for the purposes of analyzing and categorizing your Transaction Data.
- Agents: ConsentsOnline appoints certain third parties as agents to act on its behalf and provide account information services to consumers. In practice this means that an agent might operate a portal through which you can give your authorisation for Open Banking services and/or access your Transaction Data. This portal will be made available by ConsentsOnline through the relevant agent. A list of our agents can be found on the FCA’s website at the following address: https://register.fca.org.uk/s/firm?id=001b0000042tpInAAI
- Disclosure for Legal Reasons or as necessary to protect Equifax and/or ConsentsOnline: We may release personal data to other parties: (1) to comply with valid legal requirements such as laws, regulations, search warrants or court orders; (2) in special cases, such as a physical threat to you or others, a threat to public security, or a threat to Equifax and/or ConsentsOnline’s systems or networks; or (3) cases in which Equifax and/or ConsentsOnline believes it is reasonably necessary to investigate or prevent suspected or actual harm, abuse, fraud, or illegal conduct.
- Changes in Equifax’s corporate structure: If all or any part of Equifax or ConsentsOnline is sold, merged or otherwise transferred to another entity (including a transfer of assets), your personal data may be transferred as part of that transaction.
Approved Recipients: As explained above, ‘Approved recipients’ are those entities (for example, lenders) approved by you to receive copies of your Transaction Data, the analysis we undertake of your Transaction Data and/or any Credit Reference Information they are entitled to receive.
Through the ConsentsOnline Open Banking portal (the “Portal”), you can control access rights to your Transaction Data. For example, you will be able to tell us the:
- reasons for disclosing your data to your Approved Recipient;
- type of access granted and for how long (for example, whether access to your Transaction Data is unlimited, until a specific date or on a one-off basis only); and
- frequency of access to your Transaction Data (for example, whether this is restricted to daily or weekly access).
Through the Portal we also make your Transaction Data available to you for review.
Approved Recipients will process your personal data as independent Controllers, in accordance with their own Privacy Notice. Please ensure that you review their Privacy Notice to understand how and why your personal data is being used and what rights you have in relation to that use by the Approved Recipient.
5 WHERE IN THE WORLD IS YOUR PERSONAL DATA PROCESSED?
Equifax and ConsentsOnline are UK based companies and the personal data held by Equifax and ConsentsOnline is stored in the UK on encrypted servers at a secure physical location, whether these be our own servers or those of cloud service providers that we use.
Equifax and ConsentsOnline are also part of the Equifax global group of companies, with operations and service providers elsewhere inside and outside the UK. Your personal data may be accessed by or transferred to such group companies or third parties in other jurisdictions.
Please be aware that the data protection laws in some jurisdictions may not provide the same level of protection to your personal data as is provided to it under UK laws. Nevertheless, internal policies and controls are in place seeking to ensure that personal data is kept secure as well as to minimise the risk of any personal data being lost, misused, disclosed or accidently destroyed.
Non-UK Users: Our Open Banking services are intended for users within the UK. If you use these services from outside the UK, please be aware that information you provide to us or that we obtain as a result of your use of these services, may be processed and transferred to the United Kingdom and be subject to the laws of the UK.
6 HOW DO WE COMMUNICATE WITH YOU?
We will use your personal data in order to communicate relevant information in relation to your use of our Open Banking services, to respond to any queries or complaints you may have and to provide updates in relation to the services you receive from us.
We do not use the information you provide to us through use of the Open Banking services, nor do we use any Transaction Data we receive from your account provider, for any direct marketing purposes.
7 HOW DO WE SAFEGUARD YOUR PERSONAL INFORMATION
We are committed to protecting the security of your personal data and implement appropriate technical and organisational measures taking into account the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of you, as an individual.
8 COOKIES AND ONLINE TOOLS
When you use the ConsentsOnline website at https://consents.online/ (the "Website"), we will use cookies or similar online tools.
Cookies are small pieces of data that websites store on your browser when you visit them. Our online tools operate similar to 'strictly necessary cookies' and are used to ensure that our website is able to function properly. We don't have to ask for your consent to use these online tools. They are not used to identify you, and will only be used for the duration of your session.
You may disable these online tools by changing your browser settings, but this may affect how the website functions. For more information about how to use your browser settings to clear your browser data or to manage cookies, check your browser 'Help' function."
9 HOW LONG DO WE KEEP YOUR PERSONAL DATA?
We will only retain your personal data for a limited period of time and for no longer than is necessary for the purposes for which we are processing it.
For example, we will typically retain personal data in relation to your use of our Open Banking services, for so long as you receive those services and for a period of up to 6 years following cancellation of the services.
In some cases, it may be necessary for us to retain your personal data for different periods. The factors that direct how long we will retain personal data include the following:
- any laws or regulations that we are required to follow;
- whether we are in a legal or other type of dispute with each other or any third party
- the type of information held about you; and
- whether we are asked by you or a regulatory authority to keep your personal data for a valid reason.
For more information regarding our retention periods, please contact us.
10 WHAT ARE YOUR RIGHTS IN RELATION TO YOUR PERSONAL DATA?
Data protection law provides you with a number of rights in relation to your personal data (which are summarized below). You can exercise these rights by contacting us – please see the section ‘HOW CAN YOU CONTACT US’ above.
Subject to the requirements of applicable laws and certain limitations or exemption, you have the right to:
- access your personal data and be provided with certain information in relation to it, such as the purpose for which it is processed;
- require us to correct any inaccuracies in your personal data without undue delay;
- require us to erase your personal data (please be aware that the right of erasure under data protection law is not an absolute right as it only applies in relation to one or more specific circumstances);
- require us to restrict the processing of your personal data;
- receive the personal data which you have provided to us in a machine readable format, where we are processing it on the basis consent or to comply with a contract with you (please see the above tables) and such processing is automated; and
- object to a decision that we make which is based solely on automated processing of your personal data.
Access to your credit report and corrections
In addition to the rights listed above, you also have the right to obtain your statutory credit report free of charge from Equifax. This report contains all the personal data Equifax holds about you that is relevant to your financial standing. Click here if you wish to find out how to exercise this right:
https://www.equifax.co.uk/Products/credit/statutory-report.html
Should you wish to request access to all of the personal data Equifax holds about you (not just your credit report) you have the right to do so (as noted above). Click here if you wish to find out how to exercise this right:
Equifax wants to make sure that your personal information is accurate and up to date. However, please be aware that as a credit reference agency, much of the information Equifax holds about you is received from lenders and banks. Equifax is not able to automatically amend this information upon request. Equifax must instead follow a set process of informing the relevant lender and seeking their clarity as to the validity of the data. While this process is undertaken, Equifax will make a note on your file that a rectification request has been made. For more details on your rights please review the Equifax Information Notice at www.equifax.co.uk/ein
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), which is the UK data protection regulator. More information can be found on the ICO website at https://ico.org.uk/
11 CHANGES TO THIS PRIVACY NOTICE
We may change this online Privacy Notice from time to time.
